tracker issue : CF-4200938


Security Analyzer and dbtype="query" within cfquery


Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): / ()

Created: 01/31/2018

Components: Security Analyzer

Versions: 2016,2018

Failure Type: Others

Found In Build/Fixed In Build: CFB-Alpha / 307666

Priority/Frequency: Normal /

Locale/System: ALL / Windows 10 64 bit

Vote Count: 0

Problem Description: 

The security analyzer displays errors when dbtype="query" is used within cfquery. Since cfquery is doing a query of queries and not interacting with a database, I do not think that these errors should show in the security analyzer results. Attached is an image that shows a cfquery and the sort and order parts will display as errors within the security analyzer. 

Steps to Reproduce: 
1. Use dbtype="query" via the cfquery tag and have code like pictured in the image
2. Run security analyzer
3. Results will display showing these as vulnerabilities

Actual Result: 

False vulnerabilities are displayed within the security analyzer.

Expected Result:

I would expect these false vulnerabilities to not display since the query is not interacting with a database.

Any Workarounds:



Travis Walters commented with Attachment(s) [mycode.png]: User attached file(s) [Attachment Link]
Comment by PRNext R.
29222 | January 31, 2018 07:36:17 PM GMT